Introduction
Cybersecurity experts recently uncovered a stealthy Python-based backdoor framework dubbed DEEP#DOOR. This malicious tool is designed to establish persistent access on infected machines and systematically harvest sensitive data—including browser credentials and cloud service logins. In this guide, we will break down each phase of the attack chain, from initial execution to data exfiltration. Understanding these steps helps defenders recognize the threat and implement effective countermeasures.
What You Need
- Basic understanding of Windows security controls (e.g., User Account Control, Windows Defender, firewall rules).
- Familiarity with Python scripting and common obfuscation techniques.
- Access to a sandboxed analysis environment (e.g., VM, sandbox) to safely simulate the attack.
- Network monitoring tools (e.g., Wireshark, tcpdump) to observe traffic to tunneling services.
- Endpoint detection and response (EDR) knowledge to spot behavioral anomalies.
Step-by-Step Attack Breakdown
Step 1: Initial Execution of the Batch Script
The intrusion chain begins when a user unknowingly runs a batch script named install_obf.bat. This script is often delivered via phishing email attachments, malicious downloads, or compromised websites. Once executed, it serves as the gateway for the entire attack.
Step 2: Disabling Windows Security Controls
The batch script immediately attempts to disable several Windows security mechanisms. Common targets include:
- Windows Defender real-time protection
- User Account Control (UAC) prompts
- Firewall rules that might block outbound connections
- Automatic updates and threat definitions
By suppressing these defenses, the backdoor can operate without triggering alarms or requiring user intervention.
Step 3: Dynamic Extraction of the Python Payload
After disabling security controls, the batch script dynamically extracts a Python-based payload from within itself or from a remote server. This extraction often uses obfuscation techniques—such as base64 encoding, XOR encryption, or compression—to evade static antivirus scans. The extracted code is then saved to disk (e.g., as deepdoor.py) or loaded directly into memory.
Step 4: Establishing Persistence
To ensure the backdoor survives a reboot, the script creates persistence mechanisms. Common methods include:
- Adding a registry run key (e.g.,
HKCU\Software\Microsoft\Windows\CurrentVersion\Run) - Scheduling a task via Task Scheduler
- Installing as a Windows service
Persistence ensures continuous access even if the system is restarted.
Step 5: Connecting to a Tunneling Service
DEEP#DOOR uses a legitimate tunneling service (such as ngrok, Cloudflare Tunnel, or similar) to establish outbound connections. This technique hides the malicious traffic within normal HTTPS communications, bypassing corporate proxies and firewalls. The backdoor contacts the service’s API to create a tunnel endpoint, then listens for commands from the attacker’s command-and-control (C2) server through that tunnel.
Step 6: Harvesting Browser and Cloud Credentials
Once connected, the backdoor enumerates installed web browsers (Chrome, Firefox, Edge) and extracts saved credentials from their password managers and cookies. It also targets cloud service clients such as AWS CLI credentials files, Azure PowerShell profiles, and Google Cloud SDK configurations. Stolen data is typically packaged into a JSON or compressed file.
Step 7: Exfiltration via the Tunneling Service
Finally, the harvested data is uploaded through the established tunnel to the attacker’s C2 server. Because the traffic passes through a legitimate tunneling service, it blends in with typical business cloud traffic, making detection by network monitoring tools difficult. The attacker can then sell the credentials or use them for lateral movement and additional breaches.
Tips for Detection and Prevention
- Monitor for unusual batch script executions – Pay attention to any
install_obf.bator similarly named scripts starting from suspicious locations (e.g., %TEMP%, Downloads). - Enable advanced logging – Track process creation, registry modifications, and scheduled task changes. Look for scripts that attempt to disable Windows Defender via PowerShell or command line.
- Inspect outbound connections to tunneling services – If your organization does not use ngrok or similar tools, block their domains at the firewall and monitor for any usage.
- Implement least privilege access – Restrict user permissions so that even if an account is compromised, the attacker cannot disable security controls or install persistence.
- Use EDR tools with behavioral analysis – Solutions that detect unusual process chains (e.g., cmd.exe spawning Python scripts that then access browser data) can flag this attack.
- Educate users – Train staff to recognize phishing attempts and avoid running unexpected batch or executable files, even if they appear legitimate.